FY 2019 Department of Transportation Security Awareness Training for
64 Slides1.71 MB
FY 2019 Department of Transportation Security Awareness Training for Federal Employees and Contractors NEXT ›› ‹‹ BACK NEXT ››
Overview You are the Department of Transportation’s (DOT’s) best defense against those who seek to disrupt the Agency’s transportation systems and business processes and want to negatively affect the security posture of the United States. As a DOT federal employee or contractor, you must: Be familiar with DOT Information Systems Security (ISS) policies, procedures, and best practices; Understand the risks associated with your activities while accessing DOT systems and information; and Understand your responsibilities and obligations for protecting DOT data, information, and information system assets. ‹‹ BACK NEXT ›› 2
Goal of Training This Security Awareness Training (SAT) will: Focus your attention on the most pertinent DOT policies, procedures, and best practices as they relate to information security; Highlight the risks associated with accessing DOT systems and information; and Identify your responsibilities for protecting DOT systems and information from unauthorized access and disclosure. ‹‹ BACK NEXT ›› 3
Why this Training is Required You must take this training because: You are part of the DOT workforce (a DOT federal employee, contractor, subcontractor, intern; on detail with the DOT; or a temporary DOT worker); You have access to DOT systems and information; You have an obligation and responsibility to protect DOT information and systems from unauthorized access or disclosure; and SAT is required by federal law and DOT policy. DOT Workforce Required by law ‹‹ BACK NEXT ›› 4
Policy References and Requirements Which federal laws and DOT policies identify the Security Awareness Training requirement? Federal Requirements: – Federal Information Security Modernization Act (FISMA) of 2014 – OMB Circular A-130, Appendix III, paragraph 3 (2)(a) – OMB M-07-16 - Safeguarding Against and Responding to the Breach of Personally Identifiable Information DOT Policy – DOT Order 1351.37 Departmental Cybersecurity Policy – Departmental Cybersecurity Compendium Version 4 ‹‹ BACK NEXT ›› 5
Acknowledgments What is Expected of Me? Before gaining access to DOT information systems (or within 30 days of on-boarding), all DOT users must: – Read and agree to the DOT Rules of Behavior – Complete the annual SAT – Certain members of the DOT workforce that have elevated ISS responsibilities may be required to complete additional specialized training for their assigned role. Ask your supervisor if you are eligible for specialized cybersecurity training. ‹‹ BACK NEXT ›› 6
DOT Rules of Behavior What are the DOT Rules of Behavior? The DOT Rules of Behavior contains guidance for users of DOT systems and IT resources that access, store, receive, or transmit DOT information. Do the Rules of Behavior apply to you? The rules apply to any individual using DOT Information Technology (IT) resources or personal IT resources to conduct DOT business. NOTE: If you do not agree with the DOT Rules of Behavior, the DOT will not allow you to access its network or systems. ‹‹ BACK NEXT ›› 7
Protecting DOT Data and Information Why Protect DOT Data and Information? The information and data you use at work is essential to the DOT and its mission to maintain a safe and efficient transportation system. Access to reliable DOT information allows you and your colleagues to perform your jobs. Some information you use requires stronger protection and enhanced handling procedures to ensure that it is not misused or accessed by unauthorized individuals. ‹‹ BACK NEXT ›› 8
Accessing DOT Systems and Resources Use of DOT information and data is essential to the DOT and its Modes to maintain a safe and efficient transportation system. DOT resources are the devices, hardware, and information needed to get the job done. What are DOT IT Systems and Resources? Workstations, laptop computers, tablets, servers; The network infrastructure (e.g., wiring and cable, routers, switches, printers, etc.); Cellular, mobile, smart phones, text messaging systems (e.g., BlackBerry Messenger and iPhone); Plug-in and wireless add-ons that employ removable media (e.g., USB flash memory (thumb) drives, external drives, diskettes, CDs, DVDs, etc.); and, DOT information, data, reports, websites, etc. ‹‹ BACK NEXT ›› 9
Accessing DOT Systems and Resources Accessing DOT Systems The DOT provides you access to its network and systems to conduct official business on behalf of the DOT. – You are responsible for the security of your account name, password, and the information and data you access with your account. – You have no reasonable expectation of privacy when using a DOT information system. – To protect the DOT network and systems from misuse or unauthorized access, the DOT reserves the right to monitor the DOT network and all attached systems, including all activity on your system. You must agree to abide by the DOT Rules of Behavior. ‹‹ BACK NEXT ›› 10
Accessing DOT Systems and Resources (cont) Access to DOT Systems You must complete annual training: – Mandatory completion of SAT – System-specific training (as required). – Specialized information security role-based training (if applicable to your job duties). Refer to Appendix D of the DOT cybersecurity Compendium for more information on which roles require specialized training. NOTE: If you do not agree with the DOT Rules of Behavior or the Monitoring of your activities, you must not use the DOT network or any DOT system. ‹‹ BACK NEXT ›› 11
Question 1 1. What are DOT IT resources? (Check all that apply) Workstations, laptop computers, servers The network infrastructure (e.g., wiring and cable, printers, etc.) Tablet computers (e.g., Android Tablet, Pilot, iPad, etc.) Smart phones, text messaging systems (e.g., Android and iPhone) Plug-in and wireless add-ons that employ removable media (e.g., USB flash memory aka thumb drives, external drives, diskettes, CDs, DVDs, etc.) DOT information, data, reports, websites, etc. ‹‹ BACK NEXT ››
DOT Internet and Email (1 of 3) Limited Personal Use The primary function of the DOT Internet and email systems is for business use only. Your limited personal use of the Internet and email system must not: Compromise the security of DOT information and information systems, Interfere with DOT’s normal business operations, or Keep any DOT employee or contractor from performing their assigned DOT duties. Access to or use of certain activities are strictly prohibited on DOT systems and may result in termination from the DOT, and/or other disciplinary actions. Examples include, but are not limited to: Accessing pornographic material, Gambling, and Operating a private business. Warning: Your use of the DOT Internet and all e-mail received, stored, or transmitted is monitored and may be intercepted by DOT for any lawful purpose, including ensuring compliance and detection of cyber threats, including your username(s), account logon ID, password(s), credit card number(s), and other, potentially personal, information. ‹‹ BACK NEXT ›› 13
DOT Internet and Email (2 of 3) Appropriate Use of DOT Internet or Email You may use the DOT Internet or Email for valid work requirements, including but not limited to: – Exchange of information that supports the DOT mission, goals, and objectives. – Job related professional development for DOT workforce personnel. – Access to scientific, technical, and other information that has relevance to the DOT. – Business-related communications with colleagues in Government agencies, academia, and industry. ‹‹ BACK NEXT ›› 14
DOT Internet and Email (3 of 3) Inappropriate Use of DOT Internet or Email You may not use the DOT Internet or Email to: – Stream audio or video (unless work related). – Download or share files from peer-to-peer networks. – Attempt unauthorized access to information systems. – Host any type of internet server or connect to personal devices – Auto-forward DOT e-mail to a personal account. – Respond to, send, CC, or forward jokes, chain emails, or offensive content. – Send DOT information to your personal accounts. ‹‹ BACK NEXT ›› 15
Social Media Social Media There are very limited times you may use social media for personal reasons at work. The DOT has established a Social Media Policy (“Web-based interactive Technologies Policy”) for employees to follow when using social media platforms (Facebook, Twitter, Myspace, YouTube, etc.) All DOT workforce personnel must follow the DOT Social Media Policy and adhere to the Standards of Ethical Conduct for Employees of the Executive Branch, 5 CFR, Part 2635, whether their social media activities are work related for official business or personal in nature. Use of social media/networking sites, blogs, and instant messaging is outlined in DOT Order 1351.33, Appendix A Employee Conduct Policy. Using social media at work must be part of your job function or for professional development purposes ‹‹ BACK NEXT ›› 16
Social Media continued Mentioning DOT in an Official Capacity – Employees are not authorized to act as official Government representatives without permission from the Office of Public Affairs. Mentioning DOT in Personal Remarks – Your use of social media is subject to First Amendment protections. However, if your personal views on a subject may be attributed to DOT’s official position, include a disclaimer that says: “The views expressed here are my own and not necessarily those of DOT.” – Employees with public-facing roles and responsibilities must consider whether personal thoughts published online, even in personal venues, may be misconstrued as expressing DOT policy. ‹‹ BACK NEXT ›› 17
Care and Use of GFE Use of Government Furnished Equipment (GFE) By using your DOT furnished equipment, you must: Never make unauthorized changes to your GFE or attempt to circumvent the implemented security measures. Agree to the monitoring of your activities. Not install unauthorized software. Not allow other users to use your logon ID and password to access DOT systems. Comply with all software copyrights and license agreements. Never view or download pornographic or offensive content. NOTE: Do not make unauthorized changes to your government furnished equipment or attempt to circumvent the implemented security measures. ‹‹ BACK NEXT ›› 18
Care and Use of PED Portable Electronic Devices (PED) Use Requirements You must only use GFEs and PEDs to access DOT systems. – All industry and/or personal devices must be explicitly approved and authorized before use to access DOT system. Ensure anti-virus and firewall software is installed and up-to-date. Never connect your laptop to a DOT network and a non-DOT network at the same time. Use DOT-approved encryption software for storing and transmitting all PII and DOT-sensitive information. Only use DOT approved Bluetooth and wireless communication devices with your DOT equipment. Be aware of the dangers associated with mobile “hot spots” and use secure connections when possible. Install DOT-approved full hard disk encryption. ‹‹ BACK NEXT ›› 19
Travel with GFEs and PEDs Travel with GFEs and PEDs When traveling with DOT provided laptops and mobile devices, you must: – Take precautions to prevent theft, damage, abuse, or unauthorized use. – Keep equipment under physical control at all times . What does “physical control” mean? ‒ Maintain sight of equipment to the best of your physical ability when going through airport security. ‒ Never place DOT equipment in checked luggage. ‒ Never store DOT equipment in public lockers. ‒ If you must leave DOT equipment unattended, you must physically secure it in the highest reasonable manner for the environment. (e.g. lock it out of sight in a vehicle trunk, lock it in a hotel room or safe, etc.) ‒ Follow the DOT ROB when taking a DOT-issued laptop or mobile device on foreign (non-US) travel. ‹‹ BACK NEXT ›› 20
Personal Identity Verification (PIV) Card Your Personal Identity Verification (PIV) Card Your PIV Card is more than a picture ID. It contains sensitive information about you and your system access rights. Protecting passwords and PIV Cards is a first-line defense against internal cyber threats. – Never leave a PIV card unattended on a desk or in a workstation. – Never share your PIV card or Personal Identification Number (PIN). If your PIV Card is lost or stolen, you must report the loss immediately to your supervisor and to your security servicing organization. ‹‹ BACK NEXT ›› 21
Passwords Passwords and Access Control Measures Each user must have his or her own unique logon account. Passwords must: – Be at least (12) characters long* and have a combination of letters (upper- and lowercase), numbers and special characters; and, – Be updated at least every 60 days, or immediately if you suspect your password has been compromised. Always protect passwords, PINS, and access numbers. – Never share a password with anyone, including system administrators. – Do not write passwords down or store them in an electronic file on workstations, laptops, or personal technology, unless the file is encrypted. – Make sure no one is watching when you enter your password or PIN. * Some systems have an approved waiver for passwords with fewer than 12 characters. ‹‹ BACK NEXT ›› 22
What is Personally Identifiable Information? What is PII? Any information about a human being, living or deceased, regardless of nationality, that is maintained by a federal agency and permits identification of that individual to be reasonably inferred by either direct or indirect means. PII includes, but is not limited to: – – – – – – – Name Social Security Number Date and place of birth Mother’s maiden name Biometric records Medical records Educational records – – – – Financial information Employment information Driver's license Criminal history and investigation – Leave balance used – Drug testing results – National origin ‹‹ BACK NEXT ›› 23
Question 2 2. Personally Identifiable Information (PII) is any information about a human being, living or deceased, regardless of nationality, that is maintained by a federal agency and permits identification of that individual to be reasonably inferred by either direct or indirect means. (Select one) True False ‹‹ BACK NEXT ››
Question 3 3. Who is responsible to protect Personally Identifiable Information (PII), Controlled Unclassified Information, and other DOT sensitive data? (Select one) All DOT employees and contractors who use DOT information systems. Only DOT employees and contractors authorized to access the data. Supervisors of the DOT employees and contractors with access to the data. The Information System owner of the system where the data resides. ‹‹ BACK NEXT ››
Question 4 4. Which is a permitted use of DOT Internet or DOT email? (Select one) Stream audio or video (non-work related). Download or share files from peer-to-peer networks Attempt unauthorized access to information systems. Auto-forward DOT email to personal account(s). Respond to, send, or forward jokes, chain emails, or offensive content. Send DOT sensitive information to your personal account(s). None of the above. ‹‹ BACK NEXT ››
Question 5 5. Valid uses of the DOT Internet include: (Select all that apply) Job related professional development for DOT workforce personnel. Access to scientific, technical, and other information that has relevance to the DOT. Official communications with colleagues in Government agencies, academia, and industry Operating a private business. Gambling. Limited access to social media when you are on break or are having lunch, as to not interfere with your job responsibilities. Exchange of information that supports the DOT mission, goals, and objectives. Accessing pornographic material. ‹‹ BACK NEXT ››
Question 6 6. When travelling with your Government Furnished Equipment, you should? (Select all that apply) Maintain sight of equipment to the best of your physical ability when going through airport security. Never place DOT equipment in checked luggage. Never store DOT equipment in public lockers. If you must leave DOT equipment unattended, you must physically secure it in the highest reasonable manner for the environment. Follow the DOT ROB when taking a DOT-issued laptop or mobile device on foreign (non-US) travel. ‹‹ BACK NEXT ››
Question 7 7. When dealing with PII or sensitive data, all DOT Federal Employees and Contractors must: (Select all that apply) Protect PII and sensitive information from unauthorized disclosure. Utilize DOT-approved encryption software when transmitting or storing PII or sensitive data. Only access PII and other sensitive data for which you are authorized. Only send PII and other sensitive data to your personal account when teleworking. Only use DOT approved devices for storing and processing PII and other sensitive data. Obtain proper approval before responding to an external agency request for PII or sensitive information. Lock workstation and laptops while away, even for a short time. (e.g., going to the bathroom, retrieving items from the printer, etc.) Protect all PII and sensitive data as if it were your own. ‹‹ BACK NEXT ››
Question 8 8. Passwords must: (Select all that apply) Be at least twelve (12) characters long. Have a combination of letters (upper and lower case), numbers and special characters. Be updated at least every 60 days. Be updated immediately if you suspect your password has been compromised. Always be shared with your supervisor upon request or in response to an ISS incident. ‹‹ BACK NEXT ››
Question 9 9. When are you permitted to leave your Personal Identity Verification (PIV) Card unattended? (Select one) Only when it is inserted into your DOT issued computer or laptop, and you are going to your local printer to retrieve DOT related information. Only when it is inserted into your DOT issued computer or laptop, and you are going to the bathroom. Only when it is located within your DOT workstation (but not in the computer or laptop) and the workstation is secured by physical guards. Never. ‹‹ BACK NEXT ››
Controlled Unclassified Information What is Controlled Unclassified Information ? Information and data are both necessary to operate DOT systems. Because of the sensitive nature of the information you must place a degree of control over its use and dissemination. Examples of CUI data include, but are not limited to: IP addresses of DOT systems Account logon information Passwords System vulnerability information Business records Operating procedures Security plans Other information that the DOT deems sensitive ‹‹ BACK NEXT ›› 32
Classified Information What is Classified Information? Classified information is material that a government body has determined is sensitive and requires protection of confidentiality, integrity, or availability. Access is restricted by law or regulation to particular groups of people. A formal security clearance is required to handle classified documents or access classified data. Mishandling of classified material can incur criminal penalties. ‹‹ BACK NEXT ››
Data Breach and Identity Theft What is a Data Breach? A data breach is the loss of control, or unauthorized access to personally identifiable information, whether physical or electronic. A data breach can occur through data mining, which is when technology is used to discover information in massive databases, uncover hidden patterns, find subtle relationships in existing data, and predict future results. – According to the 2015 Ponemon Institute Global Data Breach Study, the cost of a data breach is 214 per record – The average total per-breach cost in 2015 was 3.79 million. ‹‹ BACK NEXT ›› 34
Data Breach and Identity Theft (cont) What is Identity Theft? When someone uses your PII such as your name, SSN, or credit card number, without your permission, to commit fraud or crimes. Identity theft is a felony under the Identity Theft and Assumption Deterrence Act of 1998. ‹‹ BACK NEXT ›› 35
Protecting Sensitive Data and Information Protecting Sensitive Data and Information As a user of DOT information systems, it is your responsibility to protect PII, CUI, and other DOT sensitive data by: Ensuring DOT information and records are properly stored, handled, and/or disposed of, in accordance with DOT policy. Not disclosing DOT information (in any form), except – Only when authorized, – On a “need to know” basis, or – Required by federal law obligations such as the Freedom of Information Act. Not providing DOT information obtained through government employment to another person or organization, which is not otherwise available to the public. Not using information obtained through government employment which is not otherwise available to the public. Warning: You must NOT access, process, or store classified information on any device that has not been authorized ‹‹ BACK NEXT ›› 36
Protecting Sensitive Data and Information (cont) How Do I Protect DOT Sensitive Data and Information? All DOT workforce personnel must: Utilize DOT-approved encryption software when transmitting or storing PII or sensitive data. Only access PII and other sensitive data for which you are authorized. Only use DOT approved devices for storing and processing PII and other sensitive data. Obtain proper approval before responding to external agency request for PII or sensitive information. Lock workstations and laptops while away, even for a short time. (e.g. going to the bathroom, retrieving items from the printer, etc.). Protect all PII and sensitive data as if it were your own. ‹‹ BACK NEXT ›› 37
Question 10 10. Which of the following examples does not qualify as Controlled Unclassified Information (CUI)? (Select one) IP addresses of DOT systems. Account logon information. Passwords. System vulnerability information. Business records. Operating procedures. Security plans. None of the above. ‹‹ BACK NEXT ››
Remote Access (1 of 4) Teleworking The DOT permits certain workforce personnel to complete job responsibilities from a location other than their normal workplace. Before you telework, you must: – Be designated as a telework employee. – Familiarize yourself with and adhere to the DOT Order 1501.1A Telework Policy. – Have an approved telework agreement in place. – Have an agreed upon work schedule with your manager. – Contact your manager or visit the DOT telework website for additional information on teleworking and to see if you are eligible. ‹‹ BACK NEXT ›› 39
Remote Access (2 of 4) Teleworking Continued While you are teleworking, you must: – Follow security practices that are the same as or equivalent to those required at your primary workplace. – Adhere to all provisions of your telework agreement. – Protect PII and sensitive data at your alternate workplace by: Only using GFEs to download and/or store PII and other DOT data. Use DOT-approved encryption software when transmitting or storing PII or DOT sensitive data. Properly dispose of sensitive information. ‹‹ BACK NEXT ›› 40
Remote Access (3 of 4) Bring Your Own Device (BYOD) Users may only access DOT information systems and networks using DOT-provided or approved personally-owned technology (e.g., personal computer, laptop, printer, smart phone, tablet, etc.). . Warning: Understand that a security incident involving your personally-owned technology may result in: the seizure of your personally-owned technology, the loss of software you may have purchased, andthe loss of all personal data on the technology ‹‹ BACK NEXT ›› 41
Remote Access (4 of 4) Bring Your Own Device (BYOD) When using personally-owned technology on a DOT network, you must: – Complete and sign the appropriate technology agreement(s). – Allow authorized personnel to monitor and examine your technology upon request. – Use DOT-approved security and encryption software for storing or sending DOT-sensitive information or PII. – Allow the installation and use of strong authentication (for example, PIV card). – Agree to allow the DOT to wipe the technology if it is lost or stolen. Warning: Understand that a security incident involving your personally-owned technology may result in: the seizure of your personally-owned technology, the loss of software you may have purchased, and the loss of all personal data on the technology ‹‹ BACK NEXT ›› 42
Your Home Computer and Personal Data (1 of 3) Protecting your systems and data at home is just as critical as it is at work. Here are some tips to protect your home computers and your data. Keep your home devices up-to-date – Install a good anti-virus software on every computer in your home and keep it upto-date. – Be cautious of installing free and shareware software – they may contain malicious code. – Install all security updates to installed software immediately. – Enable the automatic update feature of your software. Email – Do not open emails and attachments from people that you do not know. – Do not click on links in emails from people that you do not know. – Never respond to requests to provide your personal information or account numbers. – Delete suspect emails so that you do not click on them in the future. ‹‹ BACK NEXT ›› 43
Your Home Computer and Personal Data (2 of 3) Here are some tips to protect your home computer and your data. Internet use – Use caution when surfing or searching the web. – Use caution when ordering merchandise or services over the Internet. – Make sure that the website uses a secure mode (HTTPS) before you enter your password, credit card number, other personal information. – Be wary of transfers from the website you visited. Social Media – Never post work related information on your personal social media sites. – Restrict your interactions on social media sites to people you know. – Remove geocaching data from your photos before you post them. ‹‹ BACK NEXT ›› 44
Your Home Computer and Personal Data (3 of 3) Kids and Safe Computer use – Never allow your children, spouse, or others to use your DOT computer, laptop, smart phone, or other DOT equipment to play games or access the Internet. – Monitor your kids activity while they are on-line. – Restrict their website access to age-appropriate content that you review and approve. – Know who your kids are communicating with via email, chat, and other social media sites. – Teach your kids not to place personal information such as home address, age, gender, school information, etc. on websites, social media sites, or in emails. – Don’t let your kids download software, files, music, videos, etc. without your permission. You can find more resources for keeping your kids safe online at http://www.safekids.org/. ‹‹ BACK NEXT ›› 45
Question 11 11. Before you telework, you must: (Select all that apply) Be designated as a telework eligible employee. Purchase a personal laptop or computer to utilize when connecting with DOT information systems. Familiarize yourself with and adhere to the DOT Order 1501.1A Telework Policy (PDF). Have an approved telework agreement in place. Remove all non-DOT issued equipment connections from your offsite Wi-Fi network. Have an agreed upon work schedule with your manager. Visit the DOT telework website for additional information on teleworking and to see if you are eligible. ‹‹ BACK NEXT ››
Question 12 12. When you use laptops and other portable devices, you must: (Select all that apply) Only use DOT issued laptops and portable devices to access DOT systems (unless otherwise explicitly authorized). Ensure anti-virus and firewall software is installed and up-to-date. Utilize any type of encryption software for storing and transmitting all PII and DOT sensitive information. Only use DOT approved Bluetooth and wireless communication devices with your DOT equipment. Be aware of the dangers associated with mobile “hot spots” and use secure connections whenever possible. ‹‹ BACK NEXT ››
Question 13 13. When using personally-owned technology on a DOT network, you must: (Select all that apply) Complete and sign the appropriate technology agreement(s). Allow authorized personnel to monitor and examine your technology upon request. Use DOT-approved security and encryption software for storing or sending DOT-sensitive information or PII. Allow the installation and use of strong authentication. (e.g., PIV card) Agree to allow the DOT to wipe the technology if it is lost or stolen. Understand that a security or privacy incident involving your personallyowned technology may result in: the seizure of your personally-owned technology, the loss of software you may have purchased, and the loss of all personal data on the tech ‹‹ BACK NEXT ››
Question 14 14. Users of DOT systems have a constitutionally protected right to privacy win using a DOT information system. True False ‹‹ BACK NEXT ››
Understanding the Risks (Threats) Hackers are always trying to break in to Government systems for various reasons. – For bragging rights, for fun, or just to prove that they can. – To disrupt normal service. – To gain valuable information on projects for unfair competitive gain. – To gain access to your personal data so they can steal your identity. Hackers use many methods to gain unauthorized access to government systems. They often: – Take advantage of vulnerabilities in software to break in to Government systems. – Use emails to entice you to provide your personal information. – Lure you to click on malicious links on websites. – Call you on the phone and ask for the information they want. – Offer you free software, subscriptions, USB drives, CDs, or DVDs. ‹‹ BACK NEXT ›› 50
Understanding the Risks (Phishing) Phishing is an attempt to convince you to give up your personal information, usually through an email from an authentic looking source (e.g., a system administrator, your bank, credit card company, or maybe even from someone you know). – You should delete the email so that you don’t accidently click on it in the future. – Do not respond to the email. – Do not give out your personal information to an unsolicited email request. – Never give out your user name or password. – Do not subscribe to offers of “free” services or subscriptions. Spear Phishing is a targeted phishing attempt toward a specific person or group of people. – Do not respond to any spear phishing messages. – You should report spear phishing attempts to the FAA CSMC so they can alert others in the affected group ‹‹ BACK NEXT ›› 51
Spear Phishing and Whaling Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Spear-phishing attempts are not typically initiated by random hackers, but are more likely to be conducted informed perpetrators for financial gain, trade secrets or protected information. A whaling attack is a spear-phishing attack directed specifically at high-profile targets like CEOs, CFOs or high ranking government officials in order to steal sensitive information from lsa organization. In many whaling attacks, the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker. ‹‹ BACK NEXT ››
Security Begins with You! In order to avoid cyber incidents that could compromise DOT systems and information, you must: Know your responsibilities for protecting DOT systems and data. Understand the risks associated with the actions you take while using DOT systems or accessing DOT information and data. Know how to handle and protect the equipment that DOT provides to you for your assigned job. Know what you are permitted and NOT permitted to do while using the DOT equipment. Understand your responsibilities when teleworking. Understand your responsibilities while traveling on official DOT business. If you believe that you have opened a suspected malicious email, you must report this to the DOT Security Operations Center (SOC) immediately. ‹‹ BACK NEXT ›› 53
Question 15 15. Hackers and social engineering scammers use many methods to gain unauthorized access to government systems. They often: (Select all that apply) Take advantage of vulnerabilities in software to break into government systems. Use emails to entice you to provide your personal information. Lure you to click on malicious links on websites. Call you on the phone and ask for information they want. Offer you free software, subscriptions, USB drives, CDs, or DVDs. ‹‹ BACK NEXT ››
Question 16 16. Phishing is an attempt to convince you to give up your personal information, usually through an email from an authentic looking source. True False ‹‹ BACK NEXT ››
Question 17 17. If you suspect an email phishing attempt, you should? (Select all that apply) Report the email to the DOT Security Operations Center (SOC)( [email protected]) within one (1) hour of the discovery. After reporting the email to the DOT SOC, delete it so you don’t accidentally click on it in the future to be removed from the sender’s mailing list. Click on the links provided in the email to confirm it is a valid phishing attempt. ‹‹ BACK NEXT ››
Question 18 18. If you receive an unrequested email, even from a valid sender within the DOT, that has a cryptic message and questionable attachment or links, you must: (Select all that apply) Contact sender via a separate communication method (e.g. email, phone call, text, etc.) and verify validity of email. Never download or open attachments, without verification from the sender that the email is valid. Never click links within the email, without verification from the sender that the email is valid. Immediately delete unverifiable email. If unverifiable email appeared to be from a DOT email address, report this suspected phishing attempt to the DOT SOC ‹‹ BACK NEXT ››
Cyber Incident Response and Protocol Incident and Response Protocol Malicious web links are links that can download malware to your system and allow a hacker to gain access. Do not click on links in emails that you do not know. Be cautious of links on websites of unknown origins – it could download malicious code. If you click on a malicious web link, you must report this incident immediately to the DOT SOC. Social Engineering is a method used by hackers so they may gain information that allows them to access your system. The person usually pretends to be someone in authority such as a system administrator or helpdesk person seeking your help. ‹‹ BACK NEXT ›› 58
Cyber Incident Response and Protocol (cont) Incident and Response Protocol Social Engineering continued Never give out your logon ID or password to anyone. Do not respond to surveys from third parties. (non DOT sponsored surveys) Do not provide any information to anyone that does not have a “need to know”. Refer inquiries from potential social engineering proponents to the DOT Public Affairs office Malware is malicious code that may cause harm to your system or data. Malware may also allow unauthorized access to DOT systems. Never insert unauthorized media (USB devices, CDs, DVDs, etc.) into any system. Never install unauthorized software on any DOT system. Do not download unauthorized files – they might contain malicious code. ‹‹ BACK NEXT ›› 59
Cyber Incident Reporting Incident Reporting An Information System Security (ISS) event is a change in the everyday operations of a network or information technology service, indicating that a security policy may have been violated or a security safeguard may have failed. The DOT OCIO Cybersecurity Policy requires you to report all suspected or actual ISS incidents to the DOT Security Operations Center (SOC) within one (1) hour of their discovery. The DOT SOC contact information: – Hotline: 571-209-3080 – Email: [email protected] – You must support the SOC and the Information Systems Security personnel in the investigation of any incidents. After contacting DOT SOC, you must also report suspected or actual security breaches to your immediate supervisor. ‹‹ BACK NEXT ›› 60
Question 19 19. If you suspect you’ve witnessed or are currently involved in a cyber-incident, you must: (Select all that apply) Immediately shutdown and restart your computer to allow anti-virus protocol to address the suspected incident and validate occurrence. Report all suspected or actual ISS incidents or privacy breaches to the DOT Security Operations Center (SOC) within one (1) hour of their discovery. Support the DOT SOC and all related ISS personnel in the investigation of any incident. After contacting the SOC, report the suspected or actual incident to your immediate supervisor. ‹‹ BACK NEXT ››
Question 20 20. The DOT OCIO Cybersecurity Policy requires you to report all suspected or actual ISS incidents to the DOT Security Operations Center (SOC) within one (1) hour of their discovery. True False ‹‹ BACK NEXT ››
Summary By completing this Security Awareness Training course, you should: Have a better awareness of DOT Information Security policies and procedures. Understand the DOT Rules of Behavior Understand the need to protect DOT information and information systems. Understand your responsibilities for protecting DOT data and ensuring the availability and integrity of DOT information systems. Certify that you completed this portion of the course by pressing the button at the bottom of the screen ‹‹ BACK NEXT ›› 63
Security Begins with You! To report a security incident please contact the DOT Security Operations Center (SOC) [email protected] 1 (866) 580 1852 ‹‹ BACK NEXT ›› 64